Overview
Use this article if you need help configuring DKIM or DKIM headers in ListManager, as there are no help pages for this topic within ListManager itself.
Information
What is DKIM?
- DKIM is an email authentication system that expands on the outdated DomainKeys standard, which was originally created in part by Yahoo.
- It gives ISPs and email receivers a mechanism for verifying the domain of each email sender, as well as a way to tell whether the message was altered during transit.
- Additionally, signing your mail with DKIM allows many ISPs to track the reputation of your signing domain, allowing you better control over your deliverability.
- We strongly recommend all senders configure DKIM signing.
- One of the reasons for this is that DKIM is the only way to enroll in the Yahoo feedback loop - it's not possible to process Yahoo spam complaints without having DKIM in place.
- To learn more about DKIM / Domain Keys, check the Domain Keys FAQ page in the ListManager documentation.
Configuring DKIM
- From the ListManager web interface, navigate to Utilities > Administration > Sites.
- Click 'Advanced Configuration' next to the desired site and you are presented with two lists:
- Configured Domains: this list shows the domains that have been configured before. You pick entries from this list to perform changes in configuration, like a key rotation or increasing the size (in bits) of a given key.
- Domains Requiring Configuration: this list shows the domains that are not configured yet, along with options to add and delete domains. If you don't see the domain you want to configure, click the 'Add Domain' button and input the domain, or click the 'Auto Populate' button to retrieve the domain defined in the site's definitions.
- The domain you should select depends on the From address you use for mailings. For example, if you have a site called Sales where all the lists use the From address 'newsletter@sales.example.com', then 'sales.example.com' is the sending domain you will want to configure so all outgoing emails are authenticated.
- The 'Selector' is an arbitrary value you choose:
- It is used primarily for uniqueness purposes, to allow multiple servers to sign DKIM for a single domain, for example.
- The specific value is not important as long as there are no other selectors using that value.
- It's generally easiest and most common to use alphanumeric characters for the selector, e.g., 'selector', '8675309', 'lyrisisgreat', 'mailstream1', etc.
- Technically, it can be any string that is considered legal in DNS and email headers. When you generate a new public/private key combination, you must choose a new selector. It is a good idea to do this periodically for increased security - this is commonly referred to as 'key rotation'.
- Click the 'Bits' drop-down list and choose a bit size:
- This number determines the size (in bits) of the private key. You can choose one of five sizes: 512, 758, 1024, 1536, or 2048 bits.
- It's recommended to use 1024 bits in most cases, and never below 1024, as these may be treated as insecure by some ISPs.
- The larger sizes offer greater security, but this is offset by a small penalty in CPU performance.
- Click the 'Generate Key' button. The private key and public key appear in the 'Private Key' and 'Public Key' boxes.
- This procedure runs a program called openssl.exe in the background. You can also generate public and private keys by running openssl.exe outside of ListManager.
- If you have existing public and private keys and don't need to generate them in ListManager, select the 'Paste Your Key' option and then paste your keys into the appropriate boxes.
- Click 'Save Key'. Leave this window open, as we're using the key in the next section.
Creating the DKIM/Domain Keys selector record
- The selector record holds your public key and must be published in DNS.
- Use a text editor to create the DKIM selector record as described below. Notepad will work if you're using Windows, but avoid using word processors like Wordpad or Microsoft Word, as these may modify elements in the record and cause signing issues.
- You can set up multiple selectors to be used on different servers if you like, or you can use one selector for all your outgoing emails.
- You can also create a selector that only works for one specific email address.
- Example selector record:
12345._domainkey.example.com IN TXT "k=rsa; p=MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAlh28b20S2tETjIa4krj8lJFT8VhAHLmcCAwEAAQ==;"
- The selector record consists of the following three sections:
  - Selector: in the above example, 12345 is the selector. The selector must always be followed by the token ._domainkey. and then the domain name, like this: 12345._domainkey.example.com. Make sure the selector you add to your selector record is the same as the one you used in the DKIM/DomainKey configuration.
  - Record identifier: IN TXT simply identifies the type of DNS record (TXT) we're using.
  - The public key itself, and associated information: "k=rsa; p=MFwwDQYJK... [snip] ...CAwEAAQ==". Please note that section 3 needs to be enclosed in quotation marks.
    - The key section should begin with k=rsa; which specifies the type of signing algorithm in use.
    - The p=[Public Key] part contains the public key you generated in the configuration process earlier. You will need to make a small change to the key format from what you've been provided in ListManager:
      - LM provides the key with a specific number of characters per line, so the key spans multiple lines. You should remove the returns/line feeds so the key is a single line.
      - Similarly, don't include the lines that read -----BEGIN PUBLIC KEY----- or -----END PUBLIC KEY-----.
- These instructions cover the most common tags included in the signature - the vast majority of senders won't need to change this. However, if you'd like additional detail, to learn about other tag=value pairs and why you might want to include them, go to the IETF Tools page on RFC 4871 and review section 3.6.1.
When you're done, your record should look like the example above - but your record is likely to be longer, particularly the public key. That's normal.
Finally, publish this record in DNS.
Instructions for publishing in DNS aren't covered here, as this step happens outside of ListManager.
- Consult your DNS hosting provider or DNS host software manual for guidance on this process if necessary.
- Your IT or technical operations team may also be of assistance during this step.
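The key reformatting described above can be scripted so that the BEGIN/END lines and line feeds are never pasted into DNS by mistake. The following is an added example, not ListManager's own code or openssl output: it takes a PEM public key in the multi-line form ListManager's 'Public Key' box shows, strips the header and footer lines and all line breaks, checks that the result decodes as an RSA public key of at least 1024 bits (the minimum recommended above), and assembles the selector record. Because no real key is on the page, the script constructs a sample key from a chosen modulus; the selector '12345' and domain 'example.com' follow the example record above.

```python
import base64
import re

# Minimal DER helpers so the example needs only the standard library.
RSA_OID = bytes.fromhex("06092a864886f70d010101")  # OID 1.2.840.113549.1.1.1 (rsaEncryption)


def _der_len(n):
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag, body):
    return bytes([tag]) + _der_len(len(body)) + body


def _der_int(value):
    body = value.to_bytes((value.bit_length() + 7) // 8 or 1, "big")
    if body[0] & 0x80:  # leading zero keeps the INTEGER positive
        body = b"\x00" + body
    return _tlv(0x02, body)


def _read_tlv(buf, pos):
    """Return (tag, body, position after the element) for the DER element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        count = length & 0x7F
        length = int.from_bytes(buf[pos:pos + count], "big")
        pos += count
    return tag, buf[pos:pos + length], pos + length


def make_public_key_pem(modulus, exponent=65537):
    """Build a SubjectPublicKeyInfo PEM laid out the way ListManager/openssl print it:
    64 characters per line between BEGIN/END lines. Used here only to construct sample input."""
    rsa_pub = _tlv(0x30, _der_int(modulus) + _der_int(exponent))
    algorithm = _tlv(0x30, RSA_OID + b"\x05\x00")                 # rsaEncryption, NULL params
    spki = _tlv(0x30, algorithm + _tlv(0x03, b"\x00" + rsa_pub))  # BIT STRING, 0 unused bits
    b64 = base64.b64encode(spki).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN PUBLIC KEY-----\n" + "\n".join(lines) + "\n-----END PUBLIC KEY-----\n"


def rsa_modulus_bits(spki_der):
    """Walk the SubjectPublicKeyInfo and return the RSA modulus size in bits."""
    tag, spki, _ = _read_tlv(spki_der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    tag, algorithm, pos = _read_tlv(spki, 0)
    tag, oid, _ = _read_tlv(algorithm, 0)
    if tag != 0x06 or oid != RSA_OID[2:]:
        raise ValueError("not an rsaEncryption key")
    tag, bit_string, _ = _read_tlv(spki, pos)
    tag, rsa_pub, _ = _read_tlv(bit_string, 1)  # skip the unused-bits octet
    tag, modulus, _ = _read_tlv(rsa_pub, 0)
    return int.from_bytes(modulus, "big").bit_length()


def pem_to_dkim_p(pem_text):
    """The edit the article asks for: drop the BEGIN/END lines and every line break so the
    base64 key becomes a single line suitable for the p= tag. Works with Windows line endings too."""
    lines = [line.strip() for line in pem_text.splitlines()]
    p_value = "".join(line for line in lines if line and not line.startswith("-----"))
    base64.b64decode(p_value, validate=True)  # raises binascii.Error if a character was mangled
    return p_value


def pem_key_bits(pem_text):
    return rsa_modulus_bits(base64.b64decode(pem_to_dkim_p(pem_text)))


# Conservative selector check: a single alphanumeric/hyphen DNS label, as the article recommends.
# (The DKIM spec allows more; this is an assumption chosen to catch typos such as spaces.)
SELECTOR_RE = re.compile(r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?")


def build_selector_record(selector, domain, pem_text, min_bits=1024):
    """Assemble '<selector>._domainkey.<domain> IN TXT "k=rsa; p=...;"' after checking the
    selector and the key size."""
    if not SELECTOR_RE.fullmatch(selector):
        raise ValueError(f"selector {selector!r} is not a simple alphanumeric DNS label")
    bits = pem_key_bits(pem_text)
    if bits < min_bits:
        raise ValueError(f"{bits}-bit key is below the {min_bits}-bit minimum")
    return f'{selector}._domainkey.{domain} IN TXT "k=rsa; p={pem_to_dkim_p(pem_text)};"'


# Constructed sample: a 1024-bit modulus chosen for the demo, NOT a real key. Replace SAMPLE_PEM
# with the text of ListManager's 'Public Key' box (or the output of openssl rsa -pubout).
SAMPLE_PEM = make_public_key_pem((1 << 1023) | 1)

if __name__ == "__main__":
    print(build_selector_record("12345", "example.com", SAMPLE_PEM))
```

Paste the printed line into your DNS zone as the TXT record; the script refuses to produce a record for a key smaller than 1024 bits or for a selector that would not be a valid DNS label, which are the two mistakes most likely to make 'Validate Key' fail later.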
Configuring DKIM Options
- Navigate to Utilities > Administration > Sites.
- Click the site for which you have set up DKIM signing, and then select the 'DKIM' tab.
- Ensure 'DKIM signing enabled' is set to yes and 'DKIM signing defaults to' is On.
- We currently do not recommend signing with DomainKeys as it is a deprecated standard replaced by DKIM, so please leave 'DomainKey signing' set to no, and defaults to Off.
- The 'Headers' section lets you assign specific headers to be included in the digital signature. We recommend including:
- From
- Reply-To
- To
- Subject
- Date
- List-Unsubscribe
- Content-Type
- Mime-Version
In some cases, message forwarding may cause the DKIM signature to become invalid for forwarded messages, although forwarded messages will usually make up a very small proportion of your overall recipients. If you find yourself running into issues caused by invalid signatures on forwarded messages, removing certain headers from the signature may help. However, doing so also increases the (small) chance that your DKIM signatures can be spoofed or forged, so it's best not to take that step unless you're experiencing a specific problem.
Testing
- Navigate to Utilities > Administration > Sites.
- Click 'Advanced Configuration' next to the site you'd like to validate the key for.
- Select the desired domain and click the 'Validate Key' button.
- Should you get a failure, verify that sufficient time has passed to allow your new DNS entries to propagate. This can take up to 48 hours depending on the DNS provider but is commonly much faster.
- Test that your messages are being signed by sending a message to yourself (at a domain that validates DKIM) so you can view the headers. Screenshots of how you can view headers can be found in the Domain Keys FAQ page, under the section “When I open a typical email, I only see a few of the most basic headers. How do I view all headers in Yahoo / Outlook / Gmail?”
- Gmail, Outlook, and Yahoo will all validate DKIM, but if you have multiple options, we've found it easiest to view the authentication results in Gmail.
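When you view the headers of the test message described above, three things tell you the setup worked: the DKIM-Signature header's d= and s= tags name the domain and selector you configured, its h= tag lists the headers you chose in the 'Headers' section, and the receiver's Authentication-Results header says dkim=pass. The following added example (not ListManager's code) reads those headers from a constructed sample message, reports which of the recommended headers are missing from the signed set, and derives the DNS name the receiver queried for your selector record. It does not verify the signature itself; the receiving mail server does that. The domain, selector and the bh=/b= values in the sample are placeholders.

```python
import email
import re

# Headers the article recommends including in the DKIM signature (the h= tag).
RECOMMENDED_HEADERS = ["From", "Reply-To", "To", "Subject", "Date",
                       "List-Unsubscribe", "Content-Type", "Mime-Version"]

# Constructed sample: headers of a message received at a DKIM-validating mailbox.
# bh= and b= are placeholders, not a real body hash or signature.
SAMPLE_MESSAGE = """\
Authentication-Results: mx.receiver.example; dkim=pass header.d=sales.example.com header.s=mailstream1
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sales.example.com; s=mailstream1;
 h=From:Reply-To:To:Subject:Date:List-Unsubscribe:Content-Type:Mime-Version;
 bh=PLACEHOLDERBODYHASH=; b=PLACEHOLDERSIGNATURE=
From: newsletter@sales.example.com
Reply-To: newsletter@sales.example.com
To: tester@mailbox.example
Subject: DKIM test
Date: Mon, 01 Jan 2024 00:00:00 +0000
List-Unsubscribe: <mailto:unsubscribe@sales.example.com>
Content-Type: text/plain; charset=utf-8
Mime-Version: 1.0

Test body.
"""


def parse_dkim_signature(raw_value):
    """Split a DKIM-Signature value into its tag=value pairs. Folding whitespace is removed
    first; that is safe here because none of the tags inspected carry significant spaces."""
    tags = {}
    for item in "".join(raw_value.split()).split(";"):
        if item:
            name, _, value = item.partition("=")
            tags[name] = value
    return tags


def signed_headers(tags):
    """Header names listed in h=, lower-cased because header names are case-insensitive."""
    return [h.lower() for h in tags.get("h", "").split(":") if h]


def missing_recommended_headers(tags):
    """Which of the article's recommended headers are absent from the signed set."""
    signed = signed_headers(tags)
    return [h for h in RECOMMENDED_HEADERS if h.lower() not in signed]


def selector_record_name(tags):
    """The DNS name a receiver queries for the public key: <s>._domainkey.<d>."""
    return f"{tags['s']}._domainkey.{tags['d']}"


def check_message(raw_message):
    """Summarise what a tester should look for in the received headers. This does not verify
    the signature cryptographically; the receiver's Authentication-Results header reports that."""
    msg = email.message_from_string(raw_message)
    sig = msg.get("DKIM-Signature")
    if sig is None:
        return {"signed": False}
    tags = parse_dkim_signature(sig)
    auth = msg.get("Authentication-Results", "")
    match = re.search(r"\bdkim=(\w+)", auth)
    return {
        "signed": True,
        "domain": tags.get("d"),
        "selector": tags.get("s"),
        "dns_name": selector_record_name(tags),
        "missing_headers": missing_recommended_headers(tags),
        "receiver_result": match.group(1) if match else None,
    }


if __name__ == "__main__":
    for key, value in check_message(SAMPLE_MESSAGE).items():
        print(f"{key}: {value}")
```

To use it on a real test message, save the message source from your mailbox (Gmail's 'Show original' is one place to get it) and pass its text to check_message. If receiver_result is not pass, compare dns_name with the record you published and confirm the DNS change has propagated before changing anything in ListManager.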